SNAA
Securing Networks with Cisco ASA Advanced
Volume 4
Version 1.0
Student Guide
Text Part Number: 97-2732.01

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

Printed in Canada

Table of Contents (Volume 4)

Appendix 1: Handling Multimedia Protocols
  Overview  A1-1
  Objectives  A1-1
  Multimedia Protocol Handling Overview  A1-2
  RTSP Inspection  A1-4
  H.323 Inspection  A1-9
  SIP Inspection  A1-14
  SCCP Inspection  A1-19
  CTIQBE Inspection  A1-22
  MGCP Inspection  A1-24
  Verifying Multimedia Support  A1-27
  Summary  A1-38

Appendix 2: Using Cisco ASA Multicast
  Overview  A2-1
  Objectives  A2-1
  Multicast  A2-2
  IGMP  A2-6
  PIM  A2-11
  Static Multicast Routing  A2-16
  Verify and Troubleshoot  A2-19
  Summary  A2-24

Securing Networks with Cisco ASA Advanced (SNAA) v1.0 © 2008 Cisco Systems, Inc.

Appendix 1: Handling Multimedia Protocols

Overview
This appendix explains how the Cisco ASA adaptive security appliance handles multimedia protocols and shows how to configure multimedia protocol handling.

Objectives
This appendix includes these components:
- Multimedia protocol handling capabilities of the Cisco ASA security appliance
- Configure RTSP inspection
- Configure H.323 inspection
- Configure SIP inspection
- Configure SCCP inspection
- Configure CTIQBE inspection
- Configure MGCP inspection
- Verify and troubleshoot multimedia inspection

Multimedia Protocol Handling Overview
This topic presents an overview of multimedia protocol handling.
[Slide: Why Multimedia Is an Issue. Multimedia applications behave in unique ways: they use dynamic ports, and more than one port may be opened per session. The Cisco ASA security appliance dynamically opens and closes ports for multimedia connections and supports multimedia with or without NAT.]

Multimedia applications can transmit requests on TCP, get responses on User Datagram Protocol (UDP) or TCP, use dynamic ports, use the same port for source and destination, and so on. Every application behaves in a different way. Implementing support for all multimedia applications using a single secure method is very difficult. Two examples of multimedia applications follow:
- RealAudio: Sends the originating request to TCP port 7070. The RealAudio server replies with multiple UDP streams anywhere from UDP port 6970 through 7170 on the client machine.
- Cisco IP phone: Sends Skinny Client Control Protocol (SCCP) messages to the call manager on TCP port 2000. SCCP uses Real-Time Transport Protocol (RTP) and RTP Control Protocol (RTCP) for media transmissions. The UDP media ports are randomly selected by the Cisco IP phone.

The Cisco ASA security appliance dynamically opens and closes UDP ports for secure multimedia connections. You do not need to open a large range of ports, which would create a security risk, nor do you have to reconfigure any application clients. Also, the Cisco ASA security appliance supports multimedia with or without Network Address Translation (NAT). Many security appliances that cannot support multimedia with NAT limit multimedia usage to only registered users or require exposure of inside IP addresses to the Internet. Lack of support for multimedia with NAT often forces multimedia vendors to join in proprietary alliances with security appliance vendors to accomplish compatibility for their applications.

[Slide: Application Inspection and Control for Voice and Video. Protocols: SIP, SCCP, MGCP, H.323 v1-v4, RTP/RTCP, GTP, CTIQBE, RTSP. Dynamic port handling: dynamically open and close ports for gateways, endpoints, and applications; NAT and PAT support for SIP, SCCP, H.323. Protocol conformance and compliance: inspection for malformed packets, RTP media, signaling, and messages in signaling; rate limiting against DoS attacks. Policy: filter on whitelist, blacklist, caller, called party, domains, and services (IM); ensure that only registered phones are allowed to place calls. Voice and video confidentiality: inspection of encrypted signaling while maintaining confidentiality of encrypted phone calls.]

Many multifunctional security devices are strong in one area and weak in the others, which can require you to give up certain security features. With the Cisco ASA security appliance, this is not necessary. The security appliance is built from the best of Cisco security technologies, all of which are built on a foundation of network intelligence. As a result, the Cisco ASA security appliance is network aware, and thus will not impair network traffic and applications, such as VoIP or virtualized networks.

The Cisco ASA security appliance provides inspection for the following multimedia applications:
- Real Time Streaming Protocol (RTSP)
- H.323
- Session Initiation Protocol (SIP)
- SCCP (Skinny)
- Media Gateway Control Protocol (MGCP)
- Computer Telephony Interface Quick Buffer Encoding (CTIQBE)

You can configure advanced protocol inspection for the following multimedia applications. The inspection engines for these applications enable you to control additional parameters when you apply the inspection to the traffic:
- RTSP
- H.323
- SIP
- SCCP (Skinny)
- MGCP

RTSP Inspection
This topic describes RTSP inspection and explains how to configure it.

[Slide: Real Time Streaming Protocol. RTSP uses one TCP channel and two UDP channels: a control connection (TCP), a data channel (RTP or RDT), and a sync or resend channel (RTCP or UDP resend). RTSP TCP-only mode does not require special handling by the Cisco ASA security appliance. Supported applications: Cisco IPTV, Apple QuickTime 4, RealNetworks RealAudio, RealPlayer, and RealServer.]

RTSP is a real-time audio and video delivery control protocol used by many popular multimedia applications. It uses one TCP channel and multiple UDP channels. The TCP channel is the control channel and is used to negotiate the UDP delivery channels depending on the transport mode, RTP, or Session Description Protocol (SDP) that is configured on the client. RTSP applications use the well-known port 554, usually over TCP and rarely over UDP; Cisco ASA security appliances support TCP only.

The first UDP channel is the data connection; it can use one of the following transport modes:
- RTP
- RealNetworks Real Data Transport (RDT) protocol

The second UDP channel is a data connection feedback channel; it can use one of the following modes:
- RTCP
- UDP resend

RTSP supports a TCP-only mode. This mode contains only one TCP connection, which is used as both the control and data channel. Because this mode contains only one constant standard TCP connection, no special handling is required by the security appliance.

The following are RTSP applications that Cisco ASA security appliances support:
- Cisco IPTV
- Apple QuickTime 4
- RealNetworks
  - RealAudio
  - RealPlayer
  - RealServer

Note: RealNetworks RDT multicast is not supported.

[Slide: RTSP Inspection. Client to server: SETUP over the TCP control channel; server to client: RTP data and RTCP over UDP. By default, the Cisco ASA security appliance inspects RTSP connections. RTSP inspection dynamically opens UDP connections as required. If disabled, UDP transport modes are disallowed; TCP transport modes are allowed (TCP connection rules apply).]

By default, the Cisco ASA security appliance inspects port 554 for RTSP connections. If you have devices in the network using ports other than port 554 for RTSP, you need to identify these other traffic flows with their different RTSP port numbers.
RTSP inspection causes the security appliance to create dynamic openings for UDP channels for RTSP traffic. If RTSP inspection is not enabled, neither outbound nor inbound RTSP will work properly on that port.

Configuring Advanced RTSP Inspection
[Slide: ASDM path Firewall > Objects > Inspect Maps > RTSP.]

You can configure Layer 7 policy maps for RTSP from the RTSP panel in Cisco Adaptive Security Device Manager (ASDM). To access this panel, click Configuration in the Cisco ASDM toolbar, expand the Objects menu, expand the Inspect Maps menu, and click RTSP. After configuring the Layer 7 RTSP map, create a service policy rule to apply it to a Layer 3/4 policy map, and activate it.

Standard RTP Mode
[Slide: Standard RTP Mode. In standard RTP mode, RTSP uses three channels: control connection (TCP), RTP data (simplex UDP), and RTCP reports (duplex UDP). For outbound connections, the Cisco ASA security appliance opens inbound ports for RTP data and RTCP reports. For inbound connections, if an ACL exists, the security appliance handles standard RTP mode as follows: if outbound traffic is allowed, no special handling is required; if outbound traffic is not allowed, it opens ports for the RTP data and RTCP report channels from the server.]

In standard RTP mode, the following three channels are used by RTSP:
- TCP control channel: Standard TCP connection that is initiated from the client to the server.
- RTP data channel: Simplex (unidirectional) UDP session for media delivery that uses the RTP packet format from the server to the client. The client port is always an even-numbered port.
- RTCP reports: Duplex (bidirectional) UDP session that is used to provide synchronization information to the client and packet loss information to the server. The RTCP port is always the next consecutive port from the RTP data port.
For standard RTP mode RTSP traffic, the Cisco ASA security appliance behaves in the following manner:
- Outbound connections: After the client and the server negotiate the transport mode and the ports to use for the sessions, the security appliance creates temporary inbound dynamic openings for the RTP data channel and RTCP report channel from the server.
- Inbound connections:
  - If an access control list (ACL) exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is implicitly allowed, no special handling is required because the server initiates the data and report channels from the inside.
  - If an ACL exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is not implicitly allowed, the security appliance creates temporary dynamic openings for the data and report channels from the server.

Note: The Cisco ASA security appliance also can inspect Cisco voice and video communications encrypted with Secure RTP (SRTP) and Transport Layer Security (TLS). This maintains the integrity and confidentiality of a call while enforcing a security policy through advanced SIP and SCCP firewall services.

RealNetworks RDT Mode
[Slide: RealNetworks RDT Mode. Channels: control connection (TCP), UDP data (simplex UDP), UDP resend (simplex UDP). For outbound connections, the Cisco ASA security appliance handles RealNetworks RDT mode as follows: if outbound traffic is allowed, it opens an inbound port for UDP data; if outbound traffic is not allowed, it opens an inbound port for UDP data and an outbound port for UDP resend. For inbound connections, if an ACL exists, the security appliance handles RealNetworks RDT mode as follows: if outbound traffic is allowed, it opens an inbound port for UDP resend; if outbound traffic is not allowed, it opens an outbound port for UDP data and an inbound port for UDP resend.]

In RealNetworks RDT mode, the following three channels are used by RTSP:
- TCP control channel: Standard TCP connection that is initiated from the client to the server.
- UDP data channel: Simplex (unidirectional) UDP session for media delivery that uses the standard UDP packet format from the server to the client.
- UDP resend: Simplex (unidirectional) UDP session used by the client to request that the server resend lost data packets.

For RealNetworks RDT mode RTSP traffic, the Cisco ASA security appliance behaves in the following manner:
- Outbound connections:
  - If outbound UDP traffic is implicitly allowed, then after the client and the server negotiate the transport mode and the ports to use for the session, the security appliance creates a temporary inbound opening for the UDP data channel from the server.
  - If outbound UDP traffic is not implicitly allowed, then after the client and the server negotiate the transport mode and the ports to use for the session, the security appliance creates a temporary inbound opening for the UDP data channel from the server and a temporary outbound opening for the UDP resend channel from the client.
- Inbound connections:
  - If an ACL exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is implicitly allowed, the security appliance creates a temporary inbound opening for the UDP resend channel from the client.
  - If an ACL exists that allows inbound connections to an RTSP server, and if all outbound UDP traffic is not implicitly allowed, the security appliance creates temporary openings for the UDP data and UDP resend channels from the server and client, respectively.
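To make the channel and direction rules for standard RTP mode and RealNetworks RDT mode concrete, the following Python models how a firewall derives UDP pinholes from the Transport header of an RTSP SETUP reply and then decides which of those flows actually need a dynamic opening, given which side of the firewall the client sits on and whether outbound UDP is implicitly allowed. This is an added example, not Cisco ASA code and not how the ASA implements RTSP inspection: the two SETUP replies and the addresses are constructed, and the port layout assumed for the RDT resend channel (client data port back to server data port) is an assumption, since the page does not specify it.

```python
"""Model of the UDP pinholes an RTSP-aware firewall derives from SETUP signaling.

Added example, not Cisco ASA code. The SETUP replies, the addresses and the
assumed port layout of the RDT resend channel are constructed for illustration.
"""
import re

# Constructed server replies on the TCP 554 control channel.
RTP_SETUP_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Session: 4711\r\n"
    "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=20000-20001\r\n"
    "\r\n"
)
RDT_SETUP_REPLY = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 2\r\n"
    "Session: 4712\r\n"
    "Transport: x-real-rdt/udp;client_port=7070;server_port=30000\r\n"
    "\r\n"
)


def parse_transport(reply):
    """Return (mode, client_ports, server_ports) from the Transport header."""
    m = re.search(r"^Transport:\s*([^\r\n]+)", reply, re.M)
    if not m:
        raise ValueError("no Transport header in SETUP reply")
    fields = [f.strip() for f in m.group(1).split(";")]
    spec = fields[0].lower()
    if spec.startswith("rtp/avp"):
        mode = "rtp"
    elif spec.startswith("x-real-rdt"):
        mode = "rdt"
    else:
        raise ValueError("unsupported transport " + spec)
    ports = {"client_port": (), "server_port": ()}
    for f in fields[1:]:
        key, _, value = f.partition("=")
        if key in ports:
            ports[key] = tuple(int(p) for p in value.split("-"))
    return mode, ports["client_port"], ports["server_port"]


def valid_rtp_pair(pair):
    """RTP on an even port and RTCP on the next port, as the text describes."""
    return len(pair) == 2 and pair[0] % 2 == 0 and pair[1] == pair[0] + 1


def derive_pinholes(reply, client_ip, server_ip):
    """Return the UDP flows as (initiator_ip, sport, responder_ip, dport, label)."""
    mode, cports, sports = parse_transport(reply)
    if mode == "rtp":
        if not (valid_rtp_pair(cports) and valid_rtp_pair(sports)):
            raise ValueError("RTP/RTCP port pairs must be even/odd neighbours")
        return [
            (server_ip, sports[0], client_ip, cports[0], "RTP data, simplex server->client"),
            # RTCP is duplex, but the server initiates it, so one flow describes it.
            (server_ip, sports[1], client_ip, cports[1], "RTCP reports, duplex"),
        ]
    if not cports or not sports:
        raise ValueError("RDT needs a client_port and a server_port")
    return [
        (server_ip, sports[0], client_ip, cports[0], "UDP data, simplex server->client"),
        # Assumption: the resend channel runs from the client's data port back to
        # the server's data port; the page does not specify its ports.
        (client_ip, cports[0], server_ip, sports[0], "UDP resend, simplex client->server"),
    ]


def required_openings(pinholes, inside_ip, outbound_udp_allowed=True):
    """Flows the firewall must open dynamically.

    A flow initiated from the inside is already permitted when outbound UDP is
    implicitly allowed; every other flow needs a temporary pinhole.
    """
    return [
        flow for flow in pinholes
        if not (flow[0] == inside_ip and outbound_udp_allowed)
    ]


if __name__ == "__main__":
    client, server = "10.1.1.10", "203.0.113.5"
    for name, reply in (("RTP", RTP_SETUP_REPLY), ("RDT", RDT_SETUP_REPLY)):
        flows = derive_pinholes(reply, client, server)
        print(name, "outbound connection, client inside:")
        for f in required_openings(flows, inside_ip=client):
            print("   open", f)
        print(name, "inbound connection, server inside, outbound UDP blocked:")
        for f in required_openings(flows, inside_ip=server, outbound_udp_allowed=False):
            print("   open", f)
```

Running the script prints, for each mode, the flows that must be opened for an outbound connection (client on the inside) and for an inbound connection when outbound UDP is not implicitly allowed; with outbound UDP allowed and the server inside, the RTP-mode list is empty, which is the "no special handling is required" case in the text, while RDT mode still needs the client's resend channel.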
H.323 Inspection
This topic describes H.323 inspection and explains how to configure it.

[Slide: H.323 Overview. Client, gatekeeper, and H.225 call signaling. H.323 uses a signaling channel (H.225/Q.931), negotiates endpoint capabilities (H.245), and opens dynamic media sessions (RTP/RTCP).]

H.323 is more complicated than other traditional protocols because it uses two TCP connections and four to six UDP sessions for a single "call." (Only one of the TCP connections goes to a well-known port; all of the other ports are negotiated and are temporary.) Furthermore, the content of the streams is far more difficult for security appliances to understand because H.323 encodes packets using Abstract Syntax Notation One (ASN.1).

The call-signaling function uses H.225 call signaling to establish a connection between H.323 endpoints. In systems that do not have a gatekeeper, the call-signaling channel is opened between the two endpoints that are involved in the call. In systems that contain a gatekeeper, the call-signaling channel is opened between the endpoints and the gatekeeper, or between the endpoints themselves, as chosen by the gatekeeper. The Cisco ASA security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages.

[Slide: H.323 Inspection. Defines ports for H.323 connections (default = 1720). Dynamically allocates the negotiated H.245, RTP, and RTCP connections. Performs NAT on the necessary embedded IP version 4 addresses in the H.225 and H.245 messages. If disabled, H.323 applications are disallowed.]

H.323 inspection provides support for H.323-compliant applications such as Cisco Unified Communications Manager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the ITU for multimedia conferences over LANs.
The Cisco ASA security appliance supports H.323 version 1 through H.323 version 4 messages. With H.323 inspection enabled, the security appliance supports multiple calls on the same call-signaling channel, a feature introduced with H.323 version 3. This feature reduces call-setup time and reduces the use of ports on the security appliance.

The two major functions of H.323 inspection are as follows:
- Perform NAT on the necessary embedded IP version 4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in packed encoding rules (PER) format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
- Dynamically allocate the negotiated H.245, RTP, and RTCP connections.

The Cisco ASA security appliance dynamically allocates the H.245 connection based on the inspection of the H.225 messages. The H.245 control function uses the H.245 control channel to carry end-to-end control messages governing operations of the H.323 entity, including capabilities exchange, opening and closing logical channels that carry the audio, video, and data information, mode preferences, and so on. The endpoint establishes one H.245 control channel for each call. The endpoints can establish multiple multimedia logical channels using RTP and RTCP. Within each H.245 message, the H.323 endpoints exchange port numbers that are used for subsequent UDP media streams. The H.323 inspection engine inspects the H.245 messages to identify these ports and dynamically creates connections for the media exchange. RTP uses the negotiated port number, and RTCP uses the next-higher port number.

The H.323 control channel handles H.225, H.245, and H.323 RAS. H.323 inspection uses the following ports:
- 1718: Gatekeeper discovery UDP port
- 1719: Registration, Admission, and Status (RAS) UDP port
- 1720: TCP control port

By default, the Cisco ASA security appliance inspects port 1720 connections for H.323 traffic. If there are network devices using ports other than the default ports, you need to use a class map to identify these other traffic flows with their different port numbers.

The following are some of the known issues and limitations of H.323 application inspection:
- Static Port Address Translation (PAT) may not properly translate IP addresses embedded in optional fields within H.323 messages. If you experience this kind of problem, do not use static PAT with H.323.
- H.323 application inspection is not supported with NAT between same-security-level interfaces.
- When a Microsoft Windows NetMeeting client registers with an H.323 gatekeeper and tries to call an H.323 gateway that also is registered with the H.323 gatekeeper, the connection is established, but no voice is heard in either direction. This problem is unrelated to the security appliance.
- If you configure a network static address where the network static address is the same as a third-party netmask and address, any outbound H.323 connection fails.

Advanced H.323 Inspection
[Slide: Advanced H.323 Inspection. Blocks rogue callers by filtering on called and calling phone numbers; restricts call duration; tracks protocol state; blocks H.323 services such as chat and whiteboard while allowing normal audio and video traffic; prevents RAS and H.225 packets from arriving out of state; drops video or audio; controls H.245 tunneling; allows calls to be set up from outside endpoints to inside gateways served by an HSI.]

In Layer 7 class maps and policy maps for H.323, you can configure the Cisco ASA security appliance to perform the following actions:
- Block rogue callers by filtering on called and calling phone numbers: You can use regular expressions to define phone numbers. You can then use the regular expressions in policy maps to prevent calls to and from the phone numbers you defined.
- Restrict call duration: You can specify a call duration for H.323 calls, or you can specify that H.323 calls never time out.
- Track protocol state: You can configure the security appliance to check state transitions on H.323.
- Block specific H.323 services while allowing all other H.323 traffic: You can restrict the H.323 services that can be used on your network. For example, you can block chat and whiteboard services by dropping certain control messages but still allow normal audio and video traffic to traverse the security appliance.
- Prevent RAS and H.225 packets from arriving out of state: You can enable strong state checking on RAS and H.225 call setup.
- Drop video or audio traffic: You can allow or disallow video or audio traffic through the security appliance.
- Block H.245 tunneling: You can configure the security appliance to drop the connection and generate a log message when it detects H.245 tunneling.
- Allow calls to be set up from outside endpoints to inside gateways served by an HSI: The Cisco H.323 Signaling Interface (HSI) interoperates with the Cisco PSTN Gateway 2200 Softswitch to enable calls between the public switched telephone network (PSTN) and the H.323 network. HSI provides translation of signaling protocols for establishing, controlling, and releasing calls.

[Slide: ASDM Firewall > Objects > Class Maps > H.323 and Inspect Maps > H.323.]

By using the Firewall > Objects menus, you can configure both Layer 7 class maps and Layer 7 policy maps for H.323. In either a Layer 7 class map or a Layer 7 policy map, you can configure match conditions for called parties, calling parties, or media types.

The following example uses the media type criterion to block chat and whiteboard services by dropping the T.120 control messages but allows normal audio and video traffic to pass through the Cisco ASA security appliance:

asa1(config)# policy-map type inspect h323 MY_H323_MAP
asa1(config-pmap)# match media-type data
asa1(config-pmap-c)# drop
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect h323 ras MY_H323_MAP
asa1(config-pmap-c)# inspect h323 h225 MY_H323_MAP

SIP Inspection
This topic describes SIP inspection and explains how to configure it.

[Slide: SIP Inspection. Signaling mechanism (SIP) and multimedia (RTP, RTCP). Enables SIP; default port = 5060; enables the Cisco ASA security appliance to support any SIP VoIP gateways and VoIP proxies.]

SIP is an application layer control protocol used to set up and tear down multimedia sessions. These multimedia sessions include Internet telephony and similar applications. SIP uses RTP for media transport and RTCP for providing a quality of service (QoS) feedback loop.
Using SIP inspection, your Cisco ASA security appliance can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the security appliance, the signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected; although the signaling is sent over a well-known destination port (UDP or TCP 5060), the media streams are dynamically allocated. SIP is a text-based protocol and contains IP addresses throughout the text. With SIP inspection enabled, the security appliance inspects the packets, and both NAT and PAT are supported.

By default, the Cisco ASA security appliance inspects port 5060 connections for SIP traffic. If there are network devices using ports other than the default ports, you need to use a class map to identify these other traffic flows with their different port numbers. The show conn state sip command can be used to display all active SIP connections.

Note: The Cisco ASA security appliance also supports SIP proxies.

Advanced SIP Inspection
[Slide: Advanced SIP Inspection. Rate-limit SIP messages; block non-RFC-compliant SIP packets; prevent blacklisted users from using IM over SIP; prevent access to illegal or dangerous URIs; prevent exploitation of SIP endpoints or servers; disable IM over SIP; block unrecognized SIP messages; block SIP packets arriving out of state; prevent non-RTP traffic from traversing the media pinholes; block rogue callers; limit SIP traffic to specific domains; restrict the content length and type of SIP messages.]

Advanced SIP inspection enables you to configure the Cisco ASA security appliance to prevent attacks and to restrict or deny certain applications. The figure outlines the following capabilities of this feature:
- Rate-limit SIP messages: For example, you can rate-limit INVITE messages to 100 messages per second. If the number of INVITE messages exceeds 100 messages per second on an interface, the connection will be dropped.
This feature can be used to protect internal servers and endpoints from being flooded by INVITE messages, which would cause a denial of service (DoS) attack.
- Block non-RFC-compliant SIP packets: The SIP RFC compliance check covers only the syntax rules in RFC 3261. Therefore, if a packet conforms to RFC 2543 but not to RFC 3261, the validation check will fail.
- Prevent blacklisted users from using instant messaging (IM) over SIP.
- Prevent access to illegal or dangerous Uniform Resource Identifiers (URIs): The Alert-Info and Call-Info fields in a SIP message can contain URIs, and the use of these header fields can pose a security risk. If a called party fetches the URIs provided by a malicious caller, the called party may be at risk of displaying inappropriate, dangerous, or illegal content. The Alert-Info and Call-Info fields are optional, and their use is discouraged by the RFC. You can use the Mask action to mask the information in them.
- Prevent exploitation of SIP endpoints or servers: The Server and User-Agent header fields contain the version of the server. Revealing the software version can make the server vulnerable to attacks that exploit security holes in that software version. These fields are optional, and their use is discouraged by the RFC. You can mask the Server and User-Agent fields.
- Disable IM: You can disable IM over SIP.
- Block unrecognized SIP messages: You can block non-SIP traffic on the well-known port 5060.
- Block SIP packets arriving out of state: Every SIP packet has to go through a state machine. You can configure the Cisco ASA security appliance to drop any SIP packet that arrives out of state based on RFC 3261.
- Prevent non-RTP traffic from traversing the media pinholes: You can configure the security appliance to drop any packet traversing the media pinholes that does not conform to the RTP protocol.
You also can configure the security appliance to require that the payload is audio or video, based on the signaling exchange.
- Block rogue callers: For example, you can configure the security appliance to block and log all SIP INVITE packets from specific SIP endpoints.
- Limit SIP traffic to specific domains: For example, you could limit INVITE packets with example.com in their To header field to 500 packets per second. The Called Party match criterion is used to identify the called party as specified by the value in the To header field.
- Restrict the content length and type of SIP messages: For example, you can ensure that only SIP packets of Content-Type "application/sdp" with a content length less than 500 are allowed through the security appliance.

With advanced SIP inspection, you also can configure the security appliance to do the following:
- Drop SIP packets with invalid Max-Forwards fields: The Max-Forwards field in the SIP packet indicates the maximum number of hops the packet can take before it reaches its destination. The field value must not be zero when the security appliance receives the packet. You can configure the security appliance to close the connection and log an error if the Max-Forwards field is zero.
- Provide privacy to end customers: You can configure the security appliance to enable IP address privacy. This means that even if two endpoints or servers are on the inside network, their real addresses are hidden from each other.
- Block SIP traffic from rogue proxy servers: You can configure the security appliance to drop and log all SIP packets that are sent through two SIP servers.
- Allow only administrators to perform third-party registrations: With SIP, it is possible for a user to register another user with the registrar server. You can determine if this has happened by checking the From header field value and the To header field value in the REGISTER message.
If the values are different, a user has attempted a third-party registration.
- Prevent buffer overflow attacks: For example, you can configure the security appliance to drop all SIP REGISTER packets that contain a SIP URI or a non-SIP URI of a length greater than 500 in the From header, To header, or Contact header.

Configuring Advanced SIP Inspection
By using the Firewall > Objects menus in Cisco ASDM, you can configure both Layer 7 class maps and Layer 7 policy maps for SIP. In either a Layer 7 class map or a Layer 7 policy map, you can configure match conditions for the following criteria:
- Called party
- Calling party
- Content length
- Content type
- IM subscriber
- Message path
- Request method
- Third-party registration
- URI length

The CLI example that closes this topic uses the request method criterion to limit INVITE messages to 50 messages per second. If the number of INVITE messages exceeds 50 messages per second on an interface, the connection will be dropped. This feature can be used to protect internal servers and endpoints from being flooded by INVITE messages that could cause a DoS attack.
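Several of the checks listed in this topic (a zero Max-Forwards, a third-party REGISTER, over-long URIs in From, To, or Contact, SDP-only bodies under a length limit, masking of Server and User-Agent, restricting the called-party domain, and rate limiting INVITEs) are modelled below in Python so that you can see what each one actually examines in the message before the configuration is applied. This is an added example, not Cisco ASA code and not how the ASA inspection engine is implemented: the two SIP messages are constructed, and the thresholds (500 characters, 50 INVITEs per second), the function names, and the sliding one-second window are assumptions chosen to mirror the figures used on this page.

```python
"""Model of several advanced SIP inspection checks from this topic.
Added example, not Cisco ASA code: messages, thresholds (500, 50/s) and the
sliding-window rate limiter are constructed to mirror the page's figures."""
import re
from collections import deque

_SDP = ("v=0\r\no=alice 1 1 IN IP4 10.1.1.20\r\ns=-\r\n"
        "c=IN IP4 10.1.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
# Constructed INVITE carrying a small SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@10.1.1.20>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n\r\n" % len(_SDP)) + _SDP
# Constructed REGISTER whose From and To differ: a third-party registration.
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK777\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=2211\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Contact: <sip:bob@10.1.1.21>\r\n"
    "User-Agent: ExamplePhone/1.2.3\r\n"
    "Content-Length: 0\r\n\r\n")


def parse_sip(raw):
    """Split a SIP request into (method, request_uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def header_uri(value):
    """URI inside a From/To/Contact value, without display name or parameters."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()


def inspect_sip(raw, max_uri_len=500, max_sdp_len=500, allowed_called_domains=None):
    """Return (verdict, reasons, message); verdict is 'drop', 'masked' or 'allow'."""
    method, _, headers, body = parse_sip(raw)
    reasons = []
    if headers.get("max-forwards") == "0":
        reasons.append("Max-Forwards is zero")
    if method == "REGISTER" and header_uri(headers.get("from", "")) != header_uri(headers.get("to", "")):
        reasons.append("third-party registration (From differs from To)")
    for name in ("from", "to", "contact"):
        if len(header_uri(headers.get(name, ""))) > max_uri_len:
            reasons.append("%s URI longer than %d" % (name, max_uri_len))
    if body:
        if headers.get("content-type", "").lower() != "application/sdp":
            reasons.append("body is not application/sdp")
        elif len(body) >= max_sdp_len:
            reasons.append("SDP body not shorter than %d" % max_sdp_len)
    if allowed_called_domains is not None:
        domain = header_uri(headers.get("to", "")).rpartition("@")[2]
        if domain not in allowed_called_domains:
            reasons.append("called party domain %s not permitted" % domain)
    if reasons:
        return "drop", reasons, raw
    # Mask the version-revealing headers rather than dropping the message.
    masked = re.sub(r"^(Server|User-Agent):[^\r\n]*", r"\1: *****", raw, flags=re.M)
    return ("masked" if masked != raw else "allow"), [], masked


class InviteRateLimiter:
    """Sliding one-second window over the INVITEs seen on one interface."""

    def __init__(self, max_per_second):
        self.max_per_second = max_per_second
        self.arrivals = deque()

    def allow(self, method, now):
        """True if the message may pass; methods other than INVITE are never limited."""
        if method != "INVITE":
            return True
        while self.arrivals and now - self.arrivals[0] >= 1.0:
            self.arrivals.popleft()
        if len(self.arrivals) >= self.max_per_second:
            return False
        self.arrivals.append(now)
        return True


if __name__ == "__main__":
    for msg in (SAMPLE_INVITE, SAMPLE_REGISTER):
        verdict, reasons, _ = inspect_sip(msg)
        print(msg.split(" ", 1)[0], verdict, reasons)
    limiter = InviteRateLimiter(50)
    print("INVITEs passed in a 60-message burst:",
          sum(limiter.allow("INVITE", 0.001 * i) for i in range(60)))
```

The order of the checks matters: anything that earns a drop is decided before masking, so a third-party REGISTER is dropped even though it also carries a User-Agent that would otherwise be masked, and the rate limiter is kept separate because it is stateful per interface while the header checks are per message.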
asa1(config)# policy-map type inspect sip MY_SIP_MAP
asa1(config-pmap)# match request-method invite
asa1(config-pmap-c)# rate-limit 50
asa1(config-pmap-c)# exit
asa1(config-pmap)# exit
asa1(config)# policy-map global_policy
asa1(config-pmap)# class inspection_default
asa1(config-pmap-c)# inspect sip MY_SIP_MAP

SCCP Inspection
This topic describes SCCP inspection and explains how to configure it.

[Slide: SCCP (Skinny) Inspection. Cisco IP phone and Cisco Unified Communications Manager. Supports SCCP used by Cisco IP phones; enables SCCP signaling and media packets to traverse the Cisco ASA security appliance (default port 2000); dynamically opens negotiated ports for media sessions; can coexist in an H.323 environment.]

In Cisco PIX Firewall Software Version 6.0 and higher, the security appliance application handling supports SCCP, used by Cisco IP phones for VoIP call signaling. SCCP defines the set of messages that is needed for a Cisco IP phone to communicate with the Cisco Unified Communications Manager for call setup. Cisco IP phones use a randomly selected TCP port to send and receive SCCP messages. Cisco Unified Communications Manager listens for SCCP messages at TCP port 2000. SCCP uses RTP and RTCP for media transmissions. The media ports are randomly selected by the Cisco IP phones.

SCCP inspection enables the Cisco ASA security appliance to dynamically open negotiated ports for media sessions. An application layer ensures that all SCCP signaling and media packets can traverse the security appliance and interoperate with H.323 terminals. SCCP support allows a Cisco IP phone and Cisco Unified Communications Manager to be placed on separate sides of the security appliance. SCCP inspection is enabled by default to listen for SCCP messages on port 2000.
If there are network devices using ports other than the default ports, you need to identify these other traffic flows with their different port numbers, as specified in the first topic of this lesson.

Advanced Skinny Inspection
[Slide: Advanced Skinny Inspection. SOHO phone and Cisco Unified Communications Manager. Enforces registration to prevent rogue phone calls; specifies the maximum length of the SCCP prefix in Skinny messages; restricts services on endpoints; prohibits unrecognized Skinny messages; improves connection usage efficiency; prevents potential misuse of idle media connections.]

Advanced Skinny inspection enables the Cisco ASA security appliance to do the following:
- Enforce registration to prevent rogue phone calls.
- Prevent buffer overflow attacks by setting the maximum length of the SCCP prefix in Skinny messages.
- Restrict services on endpoints. The security appliance can prohibit certain features and functionalities on endpoints by dropping messages that are related to those features and functionalities.
- Prohibit unrecognized Skinny messages. Using the Message ID criterion to set a maximum Skinny message value can block undefined or unrecognized Skinny messages. For example, if Skinny version x defines messages up to 0x200, you can enter the command message-id max 0x200 to allow these messages. Message IDs greater than 0x200 will be dropped.
- Improve connection usage efficiency. By default, idle TCP Skinny signaling connections time out after one hour. You can configure these connections to time out sooner for more efficient connection usage.
- Prevent potential misuse of idle media connections. By default, media connections from Skinny audio and video calls time out in five minutes. To use these connections more efficiently and prevent potential misuse, you can configure them to time out sooner.
Configuring Advanced Skinny Inspection

By using the Firewall > Objects menus in Cisco ASDM (Inspect Maps > SCCP (Skinny)), you can configure Layer 7 policy maps for Skinny. In a Layer 7 policy map, you can configure match conditions for the Station Message ID field in Skinny messages. The following example uses the message ID criterion to prevent keypad messages from being sent from an endpoint. When applied to a Layer 3/4 policy map and activated, this configuration essentially prevents users from dialing from the phone using a keypad and prevents the use of speed dial. The 0x03 parameter specifies the keypad message, and 0x04 specifies the speed dial message.

asa1(config)# policy-map type inspect skinny MY_SKINNY_MAP
asa1(config-pmap)# match message-id range 0x03 0x04
asa1(config-pmap-c)# drop log

CTIQBE Inspection

This topic describes CTIQBE inspection and explains how to configure it.

CTIQBE Inspection
- Supports the CTIQBE protocol used by Cisco IP SoftPhones for desktop or laptop PC applications, such as collaboration
- Enables signaling and media packets to traverse the Cisco ASA security appliance (default port 2748)
- Dynamically opens negotiated ports for media sessions
- Support disabled by default

The Telephony Application Programming Interface (TAPI) and Cisco Unified Communications Manager Java TAPI (JTAPI) are used by many Cisco VoIP applications. Cisco PIX Firewall Software Version 6.3 introduced support for a specific protocol, CTIQBE, which is used by the Cisco TAPI service provider to communicate with Cisco Unified Communications Manager. Support for this protocol is disabled by default. By default, the Cisco ASA security appliance inspects port 2748 connections for CTIQBE traffic.
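The following is an added example, not part of the course or Cisco's code, that models the message-id matching described for advanced Skinny inspection: it parses the fixed SCCP header (assumed layout: 4-byte little-endian data length, 4-byte reserved field, 4-byte little-endian message ID) and applies a policy equivalent to "match message-id range 0x03 0x04 -> drop log" together with "message-id max 0x200". The sample messages are constructed for the example.

```python
"""Model of Skinny message-id policy checks (added example, not Cisco code)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed Skinny header layout: length (LE32, counts bytes after the reserved
# field, i.e. message ID + body), reserved/header version (LE32), message ID (LE32).
HEADER_LEN = 12


@dataclass
class SkinnyPolicy:
    """Subset of the Layer 7 Skinny policy-map options discussed in the text."""
    max_message_id: Optional[int] = None                   # message-id max <value>
    drop_ranges: List[Tuple[int, int]] = field(default_factory=list)  # match message-id range lo hi -> drop


def parse_skinny(data: bytes) -> Tuple[int, int, bytes]:
    """Return (declared_length, message_id, body); raise ValueError if malformed."""
    if len(data) < HEADER_LEN:
        raise ValueError("short Skinny header")
    length, _reserved, msg_id = struct.unpack_from("<III", data, 0)
    body = data[HEADER_LEN:]
    # The declared length must cover the 4-byte message ID plus the body.
    if length != 4 + len(body):
        raise ValueError(f"length field {length} does not match payload {4 + len(body)}")
    return length, msg_id, body


def evaluate(policy: SkinnyPolicy, data: bytes) -> Tuple[str, object]:
    """Return ("drop", reason) or ("permit", message_id) for one Skinny message."""
    try:
        _, msg_id, _ = parse_skinny(data)
    except ValueError as exc:
        # A message that does not parse cannot be classified, so it is dropped.
        return ("drop", f"malformed: {exc}")
    if policy.max_message_id is not None and msg_id > policy.max_message_id:
        return ("drop", f"message-id 0x{msg_id:x} above max 0x{policy.max_message_id:x}")
    for lo, hi in policy.drop_ranges:
        if lo <= msg_id <= hi:
            return ("drop", f"message-id 0x{msg_id:x} in drop range 0x{lo:x}-0x{hi:x}")
    return ("permit", msg_id)


def build(msg_id: int, body: bytes = b"") -> bytes:
    """Build a constructed Skinny message with a consistent length field."""
    return struct.pack("<III", 4 + len(body), 0, msg_id) + body


# Constructed sample traffic: keypad button (0x03), speed dial (0x04),
# keepalive (0x00), and an ID above the configured maximum (0x201).
SAMPLE_MESSAGES = [
    build(0x03, b"\x05\x00\x00\x00"),
    build(0x04, b"1234"),
    build(0x00),
    build(0x201),
]

# Policy equivalent to the MY_SKINNY_MAP example plus "message-id max 0x200".
POLICY = SkinnyPolicy(max_message_id=0x200, drop_ranges=[(0x03, 0x04)])


def run(policy: SkinnyPolicy = POLICY, messages: List[bytes] = SAMPLE_MESSAGES):
    """Evaluate every sample message and return the list of verdicts."""
    return [evaluate(policy, m) for m in messages]


if __name__ == "__main__":
    for verdict, detail in run():
        print(verdict, detail)
```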
If there are network devices using ports other than the default ports, you need to identify these other traffic flows with their different port numbers.

CTIQBE Inspection (Cont.)
- Supports NAT, PAT, and bidirectional NAT; this enables Cisco IP SoftPhone and other Cisco TAPI and JTAPI applications to work successfully with Cisco Unified Communications Manager for call setup across the security appliance
- TAPI and JTAPI are used by many Cisco VoIP applications

CTIQBE protocol inspection supports NAT, PAT, and bidirectional NAT. This enables Cisco IP SoftPhone and other Cisco TAPI and JTAPI applications to work successfully with Cisco Unified Communications Manager for call setup across the security appliance. TAPI and JTAPI are used by many Cisco VoIP applications. CTIQBE is used by the Cisco TSP to communicate with Cisco Unified Communications Manager.

MGCP Inspection

This topic describes MGCP inspection and explains how to configure it.

MGCP Inspection
- MGCP inspection inspects messages passing between call agents and media gateways
  - Port 2427 (port on which the gateway receives commands)
  - Port 2727 (port on which the call agent receives commands)
- MGCP inspection dynamically opens negotiated ports for media sessions
- With multiple call agents configured, connections are opened for all of the call agents configured for a particular MGCP gateway group

Cisco PIX Firewall Software Version 6.3 introduced support for application inspection of MGCP. MGCP is used for controlling media gateways from external call control elements called media gateway controllers or call agents.
A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and the data packets carried over the Internet or over other packet networks. The following are examples of media gateways:
- Trunking gateway: Provides an interface between the telephone network and a VoIP network. Such gateways typically manage a large number of digital circuits.
- Residential gateway: Provides a traditional analog (RJ-11) interface to a VoIP network. Examples of residential gateways include cable modems and cable set-top boxes, DSL devices, and broadband wireless devices.
- Business gateway: Provides a traditional digital PBX interface or an integrated soft PBX interface to a VoIP network.

MGCP messages are transmitted over UDP. To use MGCP, you typically need to configure at least two ports: one on which the gateway receives commands and one on which the call agent receives commands. Normally, a call agent will send commands to port 2427, and a gateway will send commands to port 2727. Audio packets are transmitted over an IP network using RTP. MGCP inspection enables the Cisco ASA security appliance to securely open negotiated UDP ports for legitimate media connections through the security appliance.

Advanced MGCP Inspection
- Specifies the maximum number of commands to queue
- Configures groups of gateways and call agents

MGCP messages are transmitted over UDP. When an MGCP gateway sends a command to the call agent, it might not receive a response from the same call agent that the command was sent to. Multiple call agents can be configured. If multiple call agents are configured, connections are opened for all the call agents configured for a particular MGCP gateway (group ID).
You can use a Layer 7 MGCP policy map to configure the gateway, call agents, and the size of the command queue. The Command Queue parameter allows you to configure the maximum number of commands to queue. Valid values are 1 to 2147483647.

By using the Firewall > Objects menus in Cisco ASDM, you can configure Layer 7 policy maps for MGCP. In a Layer 7 policy map, you can specify a group of call agents that can manage one or more gateways. Call agents with the same group ID belong to the same group. A call agent can belong to more than one group. By associating a call agent group ID with a gateway, you can specify which group of call agents can manage the gateway. A gateway can only belong to one group.

In the following example, a media gateway and two call agents are specified by configuring a Layer 7 MGCP policy map. Call agents 10.0.1.5 and 10.0.1.7 are assigned to group 101. Gateway 192.168.1.115 also is assigned to group 101; therefore, call agents 10.0.1.5 and 10.0.1.7 can manage gateway 192.168.1.115.

asa1(config)# policy-map type inspect mgcp MY_MGCP_MAP
asa1(config-pmap)# parameters
asa1(config-pmap-p)# call-agent 10.0.1.5 101
asa1(config-pmap-p)# call-agent 10.0.1.7 101
asa1(config-pmap-p)# gateway 192.168.1.115 101

Verifying Multimedia Support

This topic explains how to verify your multimedia inspection configurations.

Verifying and Monitoring H.323 Inspection
- Display information for H.225 sessions
  - show h225
- Troubleshoot H.323 inspection engine issues
  - show h225
  - debug h323 h225 event
  - debug h323 h245 event
  - show local-host
- Display information for H.245 sessions
  - show h245

The show h225 command displays information for H.225 sessions established across the Cisco ASA security appliance.
Along with the debug h323 h225 event, debug h323 h245 event, and show local-host commands, this command is used for troubleshooting H.323 inspection engine issues. Before entering the show h225, show h245, or show h323-ras commands, it is recommended that you configure the pager command. If there are many session records and the pager command is not configured, it can take a while for the show command output to reach its end. If there is an abnormally large number of connections, check that the sessions are timing out based on the default timeout values or the values you set. If they are not, there is a problem that needs to be investigated.

The following is sample output from the show h225 command:

hostname# show h225
Total H.323 Calls: 1
1       Concurrent Call(s) for
    Local:  10.130.56.3/1040        Foreign: 172.30.254.203/1720
    1. CRV 9861
    Local:  10.130.56.3/1040        Foreign: 172.30.254.203/1720
0       Concurrent Call(s) for
    Local:  10.130.56.4/1050        Foreign: 172.30.254.205/1720

This output indicates that there is currently one active H.323 call going through the Cisco ASA security appliance between the local endpoint 10.130.56.3 and foreign host 172.30.254.203, and for these particular endpoints, there is one concurrent call between them, with a call reference value (CRV) of 9861 for that call.

For the local endpoint 10.130.56.4 and foreign host 172.30.254.205, there are no concurrent calls. This means that there is no active call between the endpoints even though the H.225 session still exists. This could happen if, at the time of the show h225 command, the call has already ended, but the H.225 session has not yet been deleted. Alternately, it could mean that the two endpoints still have a TCP connection opened between them because they set "maintainConnection" to TRUE, so the session is kept open until they set it to FALSE again, or until the session times out based on the H.225 timeout value in your configuration.
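An added example, not part of the course or of Cisco's tooling, that parses show h225 output and picks out H.225 sessions with zero concurrent calls, the stale-session condition just described; the sample text is constructed from the output shown above, and the consistency checks (CRV count versus concurrent count, per-session sum versus the Total line) are the checks a practitioner would add when monitoring this output.

```python
"""Parse 'show h225' output and flag stale H.225 sessions (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the show h225 output above.
SAMPLE_SHOW_H225 = """\
Total H.323 Calls: 1
1       Concurrent Call(s) for
    Local:  10.130.56.3/1040        Foreign: 172.30.254.203/1720
    1. CRV 9861
    Local:  10.130.56.3/1040        Foreign: 172.30.254.203/1720
0       Concurrent Call(s) for
    Local:  10.130.56.4/1050        Foreign: 172.30.254.205/1720
"""

TOTAL_RE = re.compile(r"^Total H\.323 Calls:\s+(\d+)$")
SESSION_RE = re.compile(r"^(\d+)\s+Concurrent Call\(s\) for$")
ENDPOINT_RE = re.compile(r"^Local:\s+(\S+)\s+Foreign:\s+(\S+)$")
CRV_RE = re.compile(r"^\d+\.\s+CRV\s+(\d+)$")


@dataclass
class H225Session:
    local: str
    foreign: str
    concurrent: int
    crvs: List[int] = field(default_factory=list)


def parse_show_h225(text: str) -> Tuple[Optional[int], List[H225Session]]:
    """Return (total_calls, sessions) parsed from show h225 output."""
    total: Optional[int] = None
    sessions: List[H225Session] = []
    pending: Optional[int] = None  # concurrent count waiting for its endpoint line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        m = SESSION_RE.match(line)
        if m:
            pending = int(m.group(1))
            continue
        m = CRV_RE.match(line)
        if m:
            if not sessions:
                raise ValueError("CRV line before any session header")
            sessions[-1].crvs.append(int(m.group(1)))
            continue
        m = ENDPOINT_RE.match(line)
        if m:
            if pending is not None:
                # First endpoint line after a header defines the session.
                sessions.append(H225Session(m.group(1), m.group(2), pending))
                pending = None
            # An endpoint line under a CRV repeats the call's endpoints; skip it.
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return total, sessions


def stale_sessions(sessions: List[H225Session]) -> List[H225Session]:
    """Sessions that still exist but carry no active call (ended call or maintainConnection)."""
    return [s for s in sessions if s.concurrent == 0]


def check_show_h225(text: str) -> Tuple[List[H225Session], List[H225Session]]:
    """Parse, verify internal consistency, and return (all_sessions, stale_sessions)."""
    total, sessions = parse_show_h225(text)
    for s in sessions:
        if len(s.crvs) != s.concurrent:
            raise ValueError(f"{s.local}: {len(s.crvs)} CRVs but {s.concurrent} concurrent calls")
    active = sum(s.concurrent for s in sessions)
    if total is not None and active != total:
        raise ValueError(f"Total H.323 Calls {total} != sum of concurrent calls {active}")
    return sessions, stale_sessions(sessions)


if __name__ == "__main__":
    all_sessions, stale = check_show_h225(SAMPLE_SHOW_H225)
    for s in stale:
        print(f"no active call on H.225 session {s.local} <-> {s.foreign}")
```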
Verifying and Monitoring H.323 Inspection (Cont.)
- Troubleshoot H.323 inspection engine issues
  - debug h323 h245 event
  - debug h323 h225 event
  - show local-host
  - show h245
- Display information for H.323 RAS sessions
  - show h323-ras
- Troubleshoot H.323 RAS inspection engine issues
  - debug h323 ras event
  - show local-host

The show h245 command displays information for H.245 sessions established across the Cisco ASA security appliance by endpoints using slowstart. Slowstart is when the two endpoints of a call open another TCP control channel for H.245. (Faststart is where the H.245 messages are exchanged as part of the H.225 messages on the H.225 control channel.) Along with the debug h323 h245 event, debug h323 h225 event, and show local-host commands, the show h245 command is used for troubleshooting H.323 inspection engine issues. The following is sample output from the show h245 command:

hostname# show h245
Total: 1
        LOCAL                   TPKT    FOREIGN                 TPKT
1       10.130.56.3/1041        0       172.30.254.203/1245     0
        MEDIA: LCN 258 Foreign 172.30.254.203 RTP 49608 RTCP 49609
                       Local   10.130.56.3    RTP 49608 RTCP 49609
        MEDIA: LCN 259 Foreign 172.30.254.203 RTP 49606 RTCP 49607
                       Local   10.130.56.3    RTP 49606 RTCP 49607

There is currently one H.245 control session active across the Cisco ASA security appliance. The local endpoint is 10.130.56.3, and the next packet from this endpoint is expected to have a transport protocol data unit packet (TPKT) header because the TPKT value is 0. The TPKT header is a 4-byte header preceding each H.225 and H.245 message. It gives the length of the message, including the 4-byte header. The foreign host endpoint is 172.30.254.203, and the next packet from this endpoint is expected to have a TPKT header because the TPKT value is 0. The media negotiated between these endpoints have a logical channel number (LCN) of 258
with a foreign RTP IP address/port pair of 172.30.254.203/49608 and an RTCP IP address/port pair of 172.30.254.203/49609, and with a local RTP IP address/port pair of 10.130.56.3/49608 and an RTCP port of 49609. The second LCN of 259 has a foreign RTP IP address/port pair of 172.30.254.203/49606 and an RTCP IP address/port pair of 172.30.254.203/49607, and a local RTP IP address/port pair of 10.130.56.3/49606 and an RTCP port of 49607.

The show h323-ras command displays information for H.323 RAS sessions established across the Cisco ASA security appliance between a gatekeeper and its H.323 endpoint. Along with the debug h323 ras event and show local-host commands, this command is used for troubleshooting H.323 RAS inspection engine issues. The following is sample output from the show h323-ras command:

hostname# show h323-ras
Total: 1
        GK                      Caller
        172.30.254.214          10.130.56.14

This output shows that there is one active registration between the gatekeeper 172.30.254.214 and its client 10.130.56.14.

Verifying and Monitoring SIP Inspection
- Troubleshoot SIP inspection engine issues
  - show sip
  - debug sip
  - show local-host
- Display the SIP timeout value
  - show timeout sip

The show sip command assists in troubleshooting SIP inspection engine issues, as described with the inspect protocol sip udp 5060 command. The show sip command displays information for SIP sessions established across the Cisco ASA security appliance. Along with the debug sip and show local-host commands, this command is used for troubleshooting SIP inspection engine issues. The show timeout sip command displays the timeout value of the designated protocol.

Note: It is recommended that you configure the pager command before entering the show sip command.
If there are a lot of SIP session records, and the pager command is not configured, it takes a while for the show sip command output to reach its end.

The following is sample output from the show sip command:

hostname# show sip
Total: 2
call-id c3943000-960ca-2e43-228f@10.130.56.44
    state Call init, idle 0:00:01
call-id c3943000-860ca-7e1f-11f7@10.130.56.45
    state Active, idle 0:00:06

This sample shows two active SIP sessions on the Cisco ASA security appliance (as shown in the Total field). Each call-id represents a call.

The first session, with the call-id c3943000-960ca-2e43-228f@10.130.56.44, is in the state Call Init, which means the session is still in call setup. Call setup is not complete until a final response to the call has been received. For instance, the caller has already sent the INVITE, and may have received a 100 Response, but has not yet seen the 200 OK, so the call setup is not complete yet. Any non-1xx response message is considered a final response. This session has been idle for 1 second. The second session is in the state Active, in which call setup is complete and the endpoints are exchanging media. This session has been idle for 6 seconds.

Verifying and Monitoring SCCP Inspection
- Troubleshoot SCCP (Skinny) inspection engine issues
  - show skinny
  - debug skinny

The show skinny and debug skinny commands assist in troubleshooting SCCP (Skinny) inspection engine issues. The following is sample output from the show skinny command under the following conditions. There are two active Skinny sessions set up across the Cisco ASA security appliance. The first one is established between an internal Cisco IP phone at local address 10.0.0.11 and an external Cisco Unified Communications Manager at 172.18.1.33. TCP port 2000 is the Cisco Unified Communications Manager port.
The second one is established between another internal Cisco IP phone at local address 10.0.0.22 and the same Cisco Unified Communications Manager.

hostname# show skinny
        LOCAL                   FOREIGN                 STATE
1       10.0.0.11/52238         172.18.1.33/2000        1
  MEDIA 10.0.0.11/22948         172.18.1.22/20798
2       10.0.0.22/52232         172.18.1.33/2000        1
  MEDIA 10.0.0.22/20798         172.18.1.11/22948

The output indicates that a call has been established between two internal Cisco IP phones. The RTP listening ports of the first and second phones are UDP 22948 and 20798, respectively.

The following is sample output from the show xlate debug command for these Skinny connections:

hostname# show xlate debug
2 in use, 2 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
NAT from inside:10.0.0.11 to outside:172.18.1.11 flags si idle 0:00:16 timeout 0:05:00
NAT from inside:10.0.0.22 to outside:172.18.1.22 flags si idle 0:00:14 timeout 0:05:00

Verifying and Monitoring CTIQBE Inspection
- Display debug messages for CTIQBE application inspection
  - debug ctiqbe
- Display information regarding CTIQBE sessions
  - show ctiqbe
- Display the status of CTIQBE connections
  - show conn state ctiqbe
  - show conn state ctiqbe detail

You can use the debug ctiqbe command and several show commands to assist you in troubleshooting CTIQBE issues. The debug ctiqbe command shows debug messages for CTIQBE application inspection. The show ctiqbe command displays information regarding the CTIQBE sessions established across the Cisco ASA security appliance. It shows information about the media connections allocated by the CTIQBE inspection engine. The following is sample output from the show ctiqbe command under the following conditions. There is only one active CTIQBE session set up across the security appliance.
It is established between an internal computer telephony interface (CTI) device (for example, a Cisco IP SoftPhone) at local address 10.0.0.99 and an external Cisco Unified Communications Manager at 172.29.1.77, where TCP port 2748 is the Cisco Unified Communications Manager port. The heartbeat interval for the session is 120 seconds.

hostname# show ctiqbe
Total: 1
        LOCAL           FOREIGN                 STATE   HEARTBEAT
1       10.0.0.99/1117  172.29.1.77/2748        1       120
        RTP/RTCP: PAT xlates: mapped to 172.29.1.99(1028 - 1029)
        MEDIA: Device ID 27  Call ID 0
           Foreign 172.29.1.99   (1028 - 1029)
           Local   172.29.1.88   (26822 - 26823)

The CTI device has already registered with the Cisco Unified Communications Manager. The device internal address and RTP listening port are translated using PAT to 172.29.1.99 UDP port 1028. Its RTCP listening port is translated by PAT to UDP 1029.

The line beginning with RTP/RTCP: PAT xlates: appears only if an internal CTI device has registered with an external Cisco Unified Communications Manager and the CTI device address and ports are translated by PAT to that external interface. This line does not appear if the Cisco Unified Communications Manager is located on an internal interface, or if the internal CTI device address and ports are translated to the same external interface that is used by the Cisco Unified Communications Manager.

The output indicates that a call has been established between this CTI device and another phone at 172.29.1.88. The RTP and RTCP listening ports of the other phone are UDP 26822 and 26823. The other phone is located on the same interface as the Cisco Unified Communications Manager because the security appliance does not maintain a CTIQBE session record associated with the second phone and Cisco Unified Communications Manager. The active call leg on the CTI device side can be identified with Device ID 27 and Call ID 0.
The following is sample output from the show xlate debug command for these CTIQBE connections:

hostname# show xlate debug
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.0.0.99/1117 to outside:172.29.1.99/1025 flags ri idle timeout 0:00:30
UDP PAT from inside:10.0.0.99/16… to outside:172.29.1.99/1028 flags ri idle 0:00:00 timeout 0:04:10
UDP PAT from inside:10.0.0.99/16909 to outside:172.29.1.99/1029 flags ri idle 0:00:23 timeout 0:04:10

The show conn state ctiqbe command displays the status of CTIQBE connections. In the output, a "C" flag denotes the media connections allocated by the CTIQBE inspection engine. The following is sample output from the show conn state ctiqbe command:

hostname# show conn state ctiqbe
1 in use, 10 most used

hostname# show conn state ctiqbe detail
1 in use, 10 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, k - Skinny media,
       M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up

Verifying and Monitoring MGCP Inspection
- Display detailed information about MGCP application inspection
  - debug mgcp
- List the number of MGCP commands in the command queue
  - show mgcp commands
  - show mgcp commands detail
- List the number of existing MGCP sessions
  - show mgcp sessions
  - show mgcp sessions detail

You can use the debug mgcp command and several show commands to assist you in troubleshooting MGCP issues.
The debug mgcp command displays detailed information about MGCP application inspection. The show mgcp commands command lists the number of MGCP commands in the command queue. The show mgcp sessions command lists the number of existing MGCP sessions. The detail option includes additional information about each command (or session) in the output.

The following is sample output from the show mgcp commands command:

hostname# show mgcp commands
1 in use, 1 most used, 200 maximum allowed
CRCX, gateway IP: host-pc-2, transaction ID: 2052, idle: 0:00:07

The following is sample output from the show mgcp commands detail command:

hostname# show mgcp commands detail
1 in use, 1 most used, 200 maximum allowed
CRCX, idle: 0:00:10
        Gateway IP      host-pc-2
        Transaction ID  2052
        Endpoint name   aaln/1
        Call ID         9876543210abcdef
        Connection ID
        Media IP        192.168.5.7
        Media port      6058

The following is sample output from the show mgcp sessions command:

hostname# show mgcp sessions
1 in use, 1 most used
Gateway IP host-pc-2, connection ID 6789af54c9, active 0:00:11

The following is sample output from the show mgcp sessions detail command:

hostname# show mgcp sessions detail
1 in use, 1 most used
Session active 0:00:14
        Gateway IP      host-pc-2
        Call ID         9876543210abcdef
        Connection ID   6789af54c9
        Endpoint name   aaln/1
        Media lcl port  6166
        Media rmt IP    192.168.5.7
        Media rmt port  6058

Summary

This topic summarizes the key points that were discussed in this appendix.

Summary
- The Cisco ASA security appliance dynamically opens and closes UDP ports for secure multimedia connections.
- The security appliance supports multimedia with or without NAT.
- The security appliance handles such multimedia protocols as RTSP, RTP, SCCP, SIP, MGCP, and H.323.
Appendix 2
Using Cisco ASA Multicast

Overview

This appendix explains the multicast capabilities of the Cisco ASA adaptive security appliance. It begins with a look at the differences between Internet Group Management Protocol (IGMP) and Protocol Independent Multicast (PIM) sparse mode. Then it explains how to configure IGMP, PIM, and multicast static routes. Finally, it explains various commands to verify and to aid troubleshooting the multicast configuration of the security appliance.

Objectives

This appendix includes these components:
- Differences between IGMP and PIM
- Configure the security appliance for IGMP using Cisco ASDM
- Configure the security appliance for PIM using Cisco ASDM
- Appropriate commands to verify and troubleshoot the multicast configuration of the security appliance

Multicast

This topic describes the differences between IGMP and PIM.

What Is Multicast?
- It is a protocol for sending IP datagram packets from one source to interested receivers.
- It is different from other one-to-many protocols like broadcast because receivers must have multicast enabled to receive the stream.
- An IP datagram is transmitted to a set of hosts identified by a single IP destination address or multicast address.
- A reserved block of IP addresses is used for multicast: 224.0.0.0/4 or 224.0.0.0 to 239.255.255.255.

IP multicasting is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information from a single source to multiple recipients. Some applications that take advantage of multicasting include Cisco TelePresence, videoconferencing, corporate communications, distance learning, distribution of software, stock quotes, and news feeds.
Unlike broadcast, which floods the network for all hosts to receive, hosts that wish to receive multicasts must enable it by joining a multicast host group, and routers that forward IP multicast datagrams must know which hosts belong to which group.

IP multicasting is actually the transmission of an IP datagram to a "host group," a set of hosts identified by a single IP destination address. In order for this to work, hosts that wish to receive multicasts must "tune in" to the multicast by joining a multicast host group, and routers that forward multicast datagrams must know which hosts belong to which group. Routers discover this information by sending IGMP query messages through their attached local networks. Host members of a multicast group respond to the query by sending IGMP reports noting the multicast group to which they belong. If a host is removed from a multicast group, it sends a "leave" message to the multicast router. The transmission of the IP datagram packets is actually sent to a single IP address that is assigned to a multicast group. This IP address is used by all members of this group to receive the multicast transmission. These destination IP addresses fall within a reserved block of addresses that are only for multicast. This block of reserved addresses is 224.0.0.0/4 or 224.0.0.0 to 239.255.255.255.

IGMP vs. PIM
- IGMP is used within the local network to register IP multicast-enabled hosts into groups so that adjacent routers can better facilitate multicast.
- PIM is used for passing multicast within routing domains and relies on the IP routing table or multicast routing table to determine the path to take to a multicast-enabled host.
- PIM enables the IP multicast traffic to cross a WAN, while IGMP delivers IP multicast traffic to hosts within a LAN.
Routers discover which clients want to join a multicast group by sending IGMP query messages through their attached local networks. Host members of a multicast group respond to the query by sending IGMP reports noting the multicast group to which they belong. If a host is removed from a multicast group, it sends a "leave" message to the multicast router.

In PIM sparse mode, each data stream goes to a relatively small number of segments in the campus or WAN. Instead of flooding the network to determine the status of multicast members, PIM sparse mode defines a rendezvous point. The rendezvous point keeps track of multicast groups that were established by IGMP. When a user wants to send data, the user first sends to the rendezvous point. When a user wants to receive data, the user registers with the rendezvous point through IGMP. After the data stream begins to flow from sender to rendezvous point to receiver, the routers in the path will optimize the path automatically to remove any unnecessary hops.

PIM sparse mode assumes that no hosts want the multicast traffic unless they specifically ask for it. Sparse mode begins with an empty distribution tree and adds branches only as the result of explicit requests to join the distribution. PIM sparse mode is optimized for environments in which there are many multipoint data streams. PIM sparse mode is most useful in the following situations:
- When there are few receivers in a group
- When the type of traffic is intermittent

PIM and IGMP differ in what they offer for multicast sender and receiver. PIM is the protocol used to send multicast over a WAN using multicast routing or unicast routing information. Once the multicast traffic reaches a rendezvous point (RP), IGMP-enabled routers send the stream to clients that have registered to receive it.
Cisco ASA Multicast Features
- It can perform IGMP functions, but it is basically a proxy for IGMP receivers to neighboring IGMP-enabled routers.
- It can perform PIM-SM and bidirectional PIM, in which the PIM-receiving interface becomes the rendezvous point.

In Cisco PIX Firewall Software Version 6.2 and later and Cisco ASA and PIX Security Appliance Software Version 7.0 and later, stub multicast routing (SMR) is supported through static multicast routes, which enables the Cisco ASA security appliance to pass multicast traffic. This feature is necessary when hosts that need to receive multicast transmissions are separated from the multicast router by a security appliance. With SMR, the security appliance acts as an IGMP proxy agent. It forwards IGMP messages from hosts to the upstream multicast router, which takes responsibility for forwarding multicast datagrams from one multicast group to all other networks that have members in the group.

The Cisco ASA security appliance can be configured for PIM sparse mode (PIM-SM) or bidirectional PIM. When it is configured for PIM sparse mode, the security appliance will use the underlying unicast routing information, or it will use multicast static routes if defined, to forward the IP datagram packet on through the multicast path. This process is unidirectional, with no consideration given to returning client connections. In bidirectional PIM, the security appliance participates in building bidirectional paths between both sender and receiver. This enables a
